mirror of
https://github.com/dashpay/dash.git
synced 2024-12-27 04:52:59 +01:00
825bba1312
32f8fda7d6
merge bitcoin#24991: allow startup with -onlynet=onion -listenonion=1 (Kittywhiskers Van Gogh)e67ed92d3d
merge bitcoin#25173: add coverage for unknown network in -onlynet (Kittywhiskers Van Gogh)77efd36112
merge bitcoin#24687: Check an invalid -i2psam will raise an init error (Kittywhiskers Van Gogh)fb1416f7cb
merge bitcoin#24205: improve network reachability test coverage and safety (Kittywhiskers Van Gogh)7cb7479829
merge bitcoin#24663: add links to doc/cjdns.md (Kittywhiskers Van Gogh)c736ebf566
merge bitcoin#24555: create initial doc/cjdns.md for CJDNS how-to documentation (Kittywhiskers Van Gogh)554bd24186
partial bitcoin#24468: improve -onlynet help and related tor/i2p documentation (Kittywhiskers Van Gogh)5436b6a82d
merge bitcoin#24165: extend inbound eviction protection by network to CJDNS peers (Kittywhiskers Van Gogh)d52724d039
merge bitcoin#22834: respect -onlynet= when making outbound connections (Kittywhiskers Van Gogh)f9d1a9a00d
merge bitcoin#23077: Full CJDNS support (Kittywhiskers Van Gogh) Pull request description: ## Additional Information * Depends on https://github.com/dashpay/dash/pull/6034 * Depends on https://github.com/dashpay/dash/pull/6035 * If `-proxy=` is given together with `-noonion` then the provided proxy will not be set as a proxy for reaching the Tor network. So it will not be possible to open manual connections to the Tor network for example with the `addnode` RPC. To mimic the old behavior use `-proxy=` together with `-onlynet=` listing all relevant networks except `onion`. * [bitcoin#24165](https://github.com/bitcoin/bitcoin/pull/24165) has been backported _before_ [bitcoin#23758](https://github.com/bitcoin/bitcoin/pull/23758) and to account for this, minor changes were made in `src/test/net_peer_eviction_tests.cpp` (using `nTimeConnected` instead of `m_connected`). When backporting [bitcoin#23758](https://github.com/bitcoin/bitcoin/pull/23758), these changes will have to be reversed as they won't be covered by the cherry-pick diff. * CJDNS support has been labelled as being introduced in Dash Core 21.0, in line with the milestone designation of the PR. Should `develop` be used for a new minor/patch release, `doc/cjdns.md` will have to be modified to reflect the correct version number. ## Breaking changes No expected protocol or consensus changes. ## Checklist: - [x] I have performed a self-review of my own code - [x] I have commented my code, particularly in hard-to-understand areas **(note: N/A)** - [x] I have added or updated relevant unit/integration/functional/e2e tests - [x] I have made corresponding changes to the documentation - [x] I have assigned this pull request to a milestone _(for repository code-owners and collaborators only)_ ACKs for top commit: PastaPastaPasta: utACK32f8fda7d6
Tree-SHA512: e23b22ca5edbe4c4abeab0bc07780303e68e7c4cc46b7697300b0837c5acd3a98649b6b03bd07a23c827bd85f64210173027b0b0eea31872c031fa4ed04eeb0c
243 lines
10 KiB
Markdown
243 lines
10 KiB
Markdown
# TOR SUPPORT IN DASH CORE
|
|
|
|
It is possible to run Dash Core as a Tor onion service, and connect to such services.
|
|
|
|
The following directions assume you have a Tor proxy running on port 9050. Many
|
|
distributions default to having a SOCKS proxy listening on port 9050, but others
|
|
may not. In particular, the Tor Browser Bundle defaults to listening on port 9150.
|
|
See [Tor Project FAQ:TBBSocksPort](https://www.torproject.org/docs/faq.html.en#TBBSocksPort)
|
|
for how to properly configure Tor.
|
|
|
|
## How to see information about your Tor configuration via Dash Core
|
|
|
|
There are several ways to see your local onion address in Dash Core:
|
|
- in the "Local addresses" output of CLI `-netinfo`
|
|
- in the "localaddresses" output of RPC `getnetworkinfo`
|
|
- in the debug log (grep for "AddLocal"; the Tor address ends in `.onion`)
|
|
|
|
You may set the `-debug=tor` config logging option to have additional
|
|
information in the debug log about your Tor configuration.
|
|
|
|
CLI `-addrinfo` returns the number of addresses known to your node per
|
|
network. This can be useful to see how many onion peers your node knows,
|
|
e.g. for `-onlynet=onion`.
|
|
|
|
To fetch a number of onion addresses that your node knows, for example seven
|
|
addresses, use the `getnodeaddresses 7 onion` RPC.
|
|
|
|
## 1. Run Dash Core behind a Tor proxy
|
|
|
|
The first step is running Dash Core behind a Tor proxy. This will already anonymize all
|
|
outgoing connections, but more is possible.
|
|
|
|
-proxy=ip:port Set the proxy server. If SOCKS5 is selected (default), this proxy
|
|
server will be used to try to reach .onion addresses as well.
|
|
You need to use -noonion or -onion=0 to explicitly disable
|
|
outbound access to onion services.
|
|
|
|
-onion=ip:port Set the proxy server to use for Tor onion services. You do not
|
|
need to set this if it's the same as -proxy. You can use -onion=0
|
|
to explicitly disable access to onion services.
|
|
------------------------------------------------------------------
|
|
Note: Only the -proxy option sets the proxy for DNS requests;
|
|
with -onion they will not route over Tor, so use -proxy if you
|
|
have privacy concerns.
|
|
------------------------------------------------------------------
|
|
|
|
-listen When using -proxy, listening is disabled by default. If you want
|
|
to manually configure an onion service (see section 3), you'll
|
|
need to enable it explicitly.
|
|
|
|
-connect=X When behind a Tor proxy, you can specify .onion addresses instead
|
|
-addnode=X of IP addresses or hostnames in these parameters. It requires
|
|
-seednode=X SOCKS5. In Tor mode, such addresses can also be exchanged with
|
|
other P2P nodes.
|
|
|
|
-onlynet=onion Make automatic outbound connections only to .onion addresses.
|
|
Inbound and manual connections are not affected by this option.
|
|
It can be specified multiple times to allow multiple networks,
|
|
e.g. onlynet=onion, onlynet=i2p, onlynet=cjdns.
|
|
|
|
An example how to start the client if the Tor proxy is running on local host on
|
|
port 9050 and only allows .onion nodes to connect:
|
|
|
|
./dashd -onion=127.0.0.1:9050 -onlynet=onion -listen=0 -addnode=ssapp53tmftyjmjb.onion
|
|
|
|
In a typical situation, this suffices to run behind a Tor proxy:
|
|
|
|
./dashd -proxy=127.0.0.1:9050
|
|
|
|
## 2. Automatically create a Dash Core onion service
|
|
|
|
Dash Core makes use of Tor's control socket API to create and destroy
|
|
ephemeral onion services programmatically. This means that if Tor is running and
|
|
proper authentication has been configured, Dash Core automatically creates an
|
|
onion service to listen on. The goal is to increase the number of available
|
|
onion nodes.
|
|
|
|
This feature is enabled by default if Dash Core is listening (`-listen`) and
|
|
it requires a Tor connection to work. It can be explicitly disabled with
|
|
`-listenonion=0`. If it is not disabled, it can be configured using the
|
|
`-torcontrol` and `-torpassword` settings.
|
|
|
|
To see verbose Tor information in the dashd debug log, pass `-debug=tor`.
|
|
|
|
### Control Port
|
|
|
|
You may need to set up the Tor Control Port. On Linux distributions there may be
|
|
some or all of the following settings in `/etc/tor/torrc`, generally commented
|
|
out by default (if not, add them):
|
|
|
|
```
|
|
ControlPort 9051
|
|
CookieAuthentication 1
|
|
CookieAuthFileGroupReadable 1
|
|
```
|
|
|
|
Add or uncomment those, save, and restart Tor (usually `systemctl restart tor`
|
|
or `sudo systemctl restart tor` on most systemd-based systems, including recent
|
|
Debian and Ubuntu, or just restart the computer).
|
|
|
|
On some systems (such as Arch Linux), you may also need to add the following
|
|
line:
|
|
|
|
```
|
|
DataDirectoryGroupReadable 1
|
|
```
|
|
|
|
### Authentication
|
|
|
|
Connecting to Tor's control socket API requires one of two authentication
|
|
methods to be configured: cookie authentication or dashd's `-torpassword`
|
|
configuration option.
|
|
|
|
#### Cookie authentication
|
|
|
|
For cookie authentication, the user running dashd must have read access to
|
|
the `CookieAuthFile` specified in the Tor configuration. In some cases this is
|
|
preconfigured and the creation of an onion service is automatic. Don't forget to
|
|
use the `-debug=tor` dashd configuration option to enable Tor debug logging.
|
|
|
|
If a permissions problem is seen in the debug log, e.g. `tor: Authentication
|
|
cookie /run/tor/control.authcookie could not be opened (check permissions)`, it
|
|
can be resolved by adding both the user running Tor and the user running
|
|
dashd to the same Tor group and setting permissions appropriately.
|
|
|
|
On Debian-derived systems, the Tor group will likely be `debian-tor` and one way
|
|
to verify could be to list the groups and grep for a "tor" group name:
|
|
|
|
```
|
|
getent group | cut -d: -f1 | grep -i tor
|
|
```
|
|
|
|
You can also check the group of the cookie file. On most Linux systems, the Tor
|
|
auth cookie will usually be `/run/tor/control.authcookie`:
|
|
|
|
```
|
|
TORGROUP=$(stat -c '%G' /run/tor/control.authcookie)
|
|
```
|
|
|
|
Once you have determined the `${TORGROUP}` and selected the `${USER}` that will
|
|
run dashd, run this as root:
|
|
|
|
```
|
|
usermod -a -G ${TORGROUP} ${USER}
|
|
```
|
|
|
|
Then restart the computer (or log out) and log in as the `${USER}` that will run
|
|
dashd.
|
|
|
|
#### `torpassword` authentication
|
|
|
|
For the `-torpassword=password` option, the password is the clear text form that
|
|
was used when generating the hashed password for the `HashedControlPassword`
|
|
option in the Tor configuration file.
|
|
|
|
The hashed password can be obtained with the command `tor --hash-password
|
|
password` (refer to the [Tor Dev
|
|
Manual](https://2019.www.torproject.org/docs/tor-manual.html.en) for more
|
|
details).
|
|
|
|
|
|
## 3. Manually create a Dash Core onion service
|
|
|
|
If you configure your Tor system accordingly, it is possible to make your node also
|
|
reachable from the Tor network. Add these lines to your /etc/tor/torrc (or equivalent
|
|
config file): *Needed for Tor version 0.2.7.0 and older versions of Tor only. For newer
|
|
versions of Tor see [Section 4](#4-automatically-listen-on-tor).*
|
|
|
|
HiddenServiceDir /var/lib/tor/dashcore-service/
|
|
HiddenServicePort 9999 127.0.0.1:9996
|
|
|
|
The directory can be different of course, but virtual port numbers should be equal to
|
|
your dashd's P2P listen port (9999 by default), and target addresses and ports
|
|
should be equal to binding address and port for inbound Tor connections (127.0.0.1:9996 by default).
|
|
|
|
-externalip=X You can tell Dash Core about its publicly reachable addresses using
|
|
this option, and this can be an onion address. Given the above
|
|
configuration, you can find your onion address in
|
|
/var/lib/tor/dashcore-service/hostname. For connections
|
|
coming from unroutable addresses (such as 127.0.0.1, where the
|
|
Tor proxy typically runs), onion addresses are given
|
|
preference for your node to advertise itself with.
|
|
|
|
You can set multiple local addresses with -externalip. The
|
|
one that will be rumoured to a particular peer is the most
|
|
compatible one and also using heuristics, e.g. the address
|
|
with the most incoming connections, etc.
|
|
|
|
-listen You'll need to enable listening for incoming connections, as this
|
|
is off by default behind a proxy.
|
|
|
|
-discover When -externalip is specified, no attempt is made to discover local
|
|
IPv4 or IPv6 addresses. If you want to run a dual stack, reachable
|
|
from both Tor and IPv4 (or IPv6), you'll need to either pass your
|
|
other addresses using -externalip, or explicitly enable -discover.
|
|
Note that both addresses of a dual-stack system may be easily
|
|
linkable using traffic analysis.
|
|
|
|
In a typical situation, where you're only reachable via Tor, this should suffice:
|
|
|
|
./dashd -proxy=127.0.0.1:9050 -externalip=7zvj7a2imdgkdbg4f2dryd5rgtrn7upivr5eeij4cicjh65pooxeshid.onion -listen
|
|
|
|
(obviously, replace the .onion address with your own). It should be noted that you still
|
|
listen on all devices and another node could establish a clearnet connection, when knowing
|
|
your address. To mitigate this, additionally bind the address of your Tor proxy:
|
|
|
|
./dashd ... -bind=127.0.0.1
|
|
|
|
If you don't care too much about hiding your node, and want to be reachable on IPv4
|
|
as well, use `discover` instead:
|
|
|
|
./dashd ... -discover
|
|
|
|
and open port 9999 on your firewall (or use port mapping, i.e., `-upnp` or `-natpmp`).
|
|
|
|
If you only want to use Tor to reach .onion addresses, but not use it as a proxy
|
|
for normal IPv4/IPv6 communication, use:
|
|
|
|
./dashd -onion=127.0.0.1:9050 -externalip=7zvj7a2imdgkdbg4f2dryd5rgtrn7upivr5eeij4cicjh65pooxeshid.onion -discover
|
|
|
|
|
|
## 3.1. List of known Dash Core Tor relays
|
|
|
|
cmhr5r3lqhy7ic2ebeil66ftcz5u62zq5qhbfdz53l6sqxljh7zxntyd.onion
|
|
k532fqvgzqotj6epfw3rfc377elrj3td47ztad2tkn6vwnw6nhxacrqd.onion
|
|
v7ttoiov7rc5aut64nfomyfwxt424ihufwvr5ilf7moeg3fwibjpjcqd.onion
|
|
snu2xaql3crh2b4t6g2wxemgrpzmaxfxla4tua63bnp2phhxwr6hzzid.onion
|
|
fq63mjtyamklhxtskvvdf7tcdckwvtoo7kb5eazi34tsxuvexveyroad.onion
|
|
5v5lgddolcidtt2qmhmvyka2ewht4mkmmj73tfwuimlckgmqb5lthtid.onion
|
|
|
|
You can easily validate which of these are still online via nc such as
|
|
```
|
|
nc -v -x 127.0.0.1:9050 -z *.onion 9999
|
|
```
|
|
|
|
## 4. Privacy recommendations
|
|
|
|
- Do not add anything but Dash Core ports to the onion service created in section 3.
|
|
If you run a web service too, create a new onion service for that.
|
|
Otherwise it is trivial to link them, which may reduce privacy. Onion
|
|
services created automatically (as in section 2) always have only one port
|
|
open.
|